CVE-2025-68601

Five Star Restaurant Reservations <= 2.7.8 - Cross-Site Request Forgery

mediumCross-Site Request Forgery (CSRF)
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
2.7.9
Patched in
49d
Time to patch

Description

The Five Star Restaurant Reservations plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.7.8. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. CVE-2026-0658 might be a duplicate of this issue.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=2.7.8
PublishedDecember 24, 2025
Last updatedFebruary 10, 2026

Source Code

WordPress.org SVN
Research Plan
Unverified

This exploitation research plan targets **CVE-2025-68601**, a Cross-Site Request Forgery (CSRF) vulnerability in the **Five Star Restaurant Reservations** plugin (versions <= 2.7.8). --- ### 1. Vulnerability Summary The Five Star Restaurant Reservations plugin fails to implement or incorrectly val…

Show full research plan

This exploitation research plan targets CVE-2025-68601, a Cross-Site Request Forgery (CSRF) vulnerability in the Five Star Restaurant Reservations plugin (versions <= 2.7.8).


1. Vulnerability Summary

The Five Star Restaurant Reservations plugin fails to implement or incorrectly validates WordPress nonces in several of its administrative AJAX and form processing handlers. Specifically, functions related to booking status management and plugin settings do not call check_admin_referer() or check_ajax_referer() before executing state-changing operations. This allows an unauthenticated attacker to craft a malicious request that, when executed by a logged-in administrator (e.g., via a phishing link or malicious site), performs unauthorized actions such as modifying reservation statuses or changing global plugin configuration.

2. Attack Vector Analysis

  • Target Endpoint: wp-admin/admin-ajax.php (for AJAX-based actions) or wp-admin/admin-post.php (for settings forms).
  • Vulnerable Action: rtb_admin_update_booking_status (inferred AJAX action) or rtb-settings (inferred settings handler).
  • Payload Parameter: status, booking_id, or setting-specific keys (e.g., rtb-admin-email).
  • Authentication Level: Unauthenticated (attacker) triggering a request via an Authenticated Administrator (victim).
  • Preconditions: The victim must be logged into the WordPress dashboard with administrative privileges for the plugin.

3. Code Flow (Inferred)

  1. Entry Point: An administrator clicks a malicious link or visits a page containing an auto-submitting form.
  2. Hook Registration: The plugin registers AJAX handlers during init or inside an admin-specific class constructor:
    add_action( 'wp_ajax_rtb_admin_update_booking_status', array( $this, 'update_booking_status' ) );
  3. Vulnerable Function: The handler function (e.g., update_booking_status) is invoked.
  4. Missing Check: The code immediately proceeds to process $_POST data without a call to check_ajax_referer( 'rtb-admin-nonce', 'nonce' ).
  5. Sink: The function calls update_post_meta() or $wpdb->update() to change the reservation state or update_option() to save settings.

4. Nonce Acquisition Strategy

According to the CVE description, the vulnerability exists because of missing or incorrect validation.

  • If validation is missing: No nonce is required. The exploit payload simply omits the nonce parameter.
  • If validation is incorrect (e.g., using a public nonce):
    1. The plugin often enqueues its dashboard scripts.
    2. Identify the localized JS object. Common object name for this plugin: rtb_admin (inferred).
    3. Extraction Steps:
      • Create a page containing the booking dashboard (if needed): wp post create --post_type=page --post_status=publish --post_content='[booking-dashboard]' (inferred shortcode).
      • Navigate to the page using browser_navigate.
      • Execute: browser_eval("window.rtb_admin?.nonce") to extract the token.

5. Exploitation Strategy

We will demonstrate the CSRF by changing the status of an existing reservation.

Step 1: Identify a Booking ID
First, we must have a booking to target. We will identify the ID of an existing reservation.

Step 2: Craft the CSRF Request
We will use the http_request tool to simulate the request that the Admin's browser would send.

  • Method: POST
  • URL: https://[target-site]/wp-admin/admin-ajax.php
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
    action=rtb_admin_update_booking_status&booking_id=[ID]&status=closed
    

6. Test Data Setup

  1. Install Plugin: Ensure version 2.7.8 is active.
  2. Create a Reservation:
    Use WP-CLI to create a dummy reservation post (this plugin uses a custom post type rtb-booking):
    wp post create --post_type=rtb-booking --post_title="Test Reservation" --post_status=publish
    
  3. Get ID: Note the ID of the created post.
  4. Verify Initial State: Check that the reservation status is 'pending' or 'confirmed'.

7. Expected Results

  • The admin-ajax.php request returns a 200 OK response, likely with a JSON body: {"success":true}.
  • The reservation's metadata or status in the database is updated to "closed" or "rejected" despite no nonce being provided in the request.

8. Verification Steps

After sending the http_request, verify the change via WP-CLI:

# Check the post meta for the specific booking ID
wp post meta get [ID] rtb_status

If the status has changed to the value specified in the attack payload, the CSRF is confirmed.

9. Alternative Approaches

If the rtb_admin_update_booking_status endpoint is protected, target the global settings save:

  • Action: admin-post.php?action=rtb-settings
  • Payload: Change the rtb-admin-email to an attacker-controlled address.
  • Verification: wp option get rtb-settings (the plugin often stores settings as an array in a single option).

If a nonce is required but the validation is "incorrect," check if the plugin accepts a nonce generated for a different, lower-privileged action (Nonce Re-use) or if the die parameter in check_ajax_referer is set to false without checking the return value.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Five Star Restaurant Reservations plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to 2.7.8. This occurs because the plugin fails to perform nonce validation on administrative actions such as updating booking statuses, allowing an attacker to trick a logged-in administrator into modifying reservation data via a forged request.

Vulnerable Code

// Inferred from research plan and common plugin structure
// lib/Admin.class.php (approximate)

public function update_booking_status() {
    // Missing check_ajax_referer() or check_admin_referer() call here

    $booking_id = isset($_POST['booking_id']) ? intval($_POST['booking_id']) : 0;
    $status = isset($_POST['status']) ? sanitize_text_field($_POST['status']) : '';

    if ($booking_id && $status) {
        update_post_meta($booking_id, 'rtb_status', $status);
        wp_send_json_success();
    }

    wp_send_json_error();
}

Security Fix

--- a/lib/Admin.class.php
+++ b/lib/Admin.class.php
@@ -10,6 +10,8 @@
 	public function update_booking_status() {
 
+		check_ajax_referer( 'rtb-admin-nonce', 'nonce' );
+
 		$booking_id = isset( $_POST['booking_id'] ) ? intval( $_POST['booking_id'] ) : 0;
 		$status = isset( $_POST['status'] ) ? sanitize_text_field( $_POST['status'] ) : '';
 
 		if ( $booking_id && $status ) {

Exploit Outline

The exploit targets the AJAX handler for updating reservation statuses. 1. The attacker identifies the ID of a target booking (e.g., through enumeration or guessing). 2. The attacker crafts a malicious HTML page containing an auto-submitting form or a hidden AJAX request. 3. The request is directed to the WordPress AJAX endpoint (/wp-admin/admin-ajax.php) with the 'action' parameter set to 'rtb_admin_update_booking_status' and the 'status' parameter set to the desired value (e.g., 'closed' or 'trash'). 4. Since no nonce check is performed on the server side, if a logged-in administrator visits the attacker's page, their browser will automatically execute the state-changing request using their active session cookies, successfully updating the booking status without their consent.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.